All requests fail after upgrading Microsoft.AspNetCore.Authentication.JwtBearer from 7.0.14 to 7.0.15

I’m running into an issue when upgrading Microsoft.AspNetCore.Authentication.JwtBearer. The issue was introduced with version 7.0.15 and occurs in all newer versions. Prior to upgrading, the token was able to be parsed and everything worked as expected. No other changes have been made to the code base; the only change is bumping the JwtBearer package from 7.0.14 to 7.0.15.

After upgrading, all requests fail with HTTP status code 401 and the following WWW-Authenticate header is returned.

www-Authenticate: Bearer error="invalid_token", error_description="The signature key was not found"

Authentication is added with the following code. In Program.cs:

appBuilder.Services.AddAuthentication(Encoding.UTF8.GetBytes(appBuilder.Configuration
                                                                       .GetSection("JwtBearerTokenSignatureKey")
                                                                       .Value));

In an extension class:

public static AuthenticationBuilder AddAuthentication(this IServiceCollection services,
                                                      byte[] signingKey)
{
    // The method is declared to return AuthenticationBuilder, so the builder
    // produced by the framework's AddAuthentication call has to be returned.
    return services.AddAuthentication(authOptions =>
    {
        authOptions.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        authOptions.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(jwtOptions =>
    {
        jwtOptions.SaveToken = true;
        jwtOptions.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateAudience = false,
            ValidateIssuer = false,
            ValidateIssuerSigningKey = true,
            // Symmetric (HMAC) key built from the configured secret bytes.
            IssuerSigningKey = new SymmetricSecurityKey(signingKey),
            ValidateLifetime = true,
            LifetimeValidator = LifetimeValidator
        };
        jwtOptions.MapInboundClaims = true;
    });
}

private static bool LifetimeValidator(DateTime? notBefore,
                                      DateTime? expires,
                                      SecurityToken securityToken,
                                      TokenValidationParameters validationParameters)
{
    return expires != null && expires > DateTime.UtcNow;
}

What’s misconfigured here?
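The 401 challenge only carries the generic "signature key was not found" text; the exception that actually caused it is available in the JwtBearer pipeline. The following is an added diagnostic example (not the asker's code, and not part of the original post) that keeps the same TokenValidationParameters shape, reports the symmetric key size (the library rejects HMAC keys below its minimum size), logs the real exception via OnAuthenticationFailed, and validates a captured token outside the HTTP pipeline so the same failure can be reproduced offline. The key bytes and token string are assumed placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

public static class JwtDiagnostics
{
    // Same validation shape as the question, minus the custom LifetimeValidator.
    public static TokenValidationParameters BuildParameters(byte[] signingKey)
    {
        var key = new SymmetricSecurityKey(signingKey);
        // First thing to check: a key that is too short for the HMAC algorithm is
        // never usable, which surfaces as "key not found" rather than "wrong key".
        Console.WriteLine($"Symmetric key size: {key.KeySize} bits");
        return new TokenValidationParameters
        {
            ValidateAudience = false,
            ValidateIssuer = false,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = key,
            ValidateLifetime = true
        };
    }

    // Call this inside AddJwtBearer(jwtOptions => ...) to log the underlying
    // exception instead of only seeing the WWW-Authenticate challenge.
    public static void ConfigureDiagnostics(JwtBearerOptions jwtOptions)
    {
        jwtOptions.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = ctx =>
            {
                Console.Error.WriteLine($"JWT validation failed: {ctx.Exception}");
                return Task.CompletedTask;
            }
        };
    }

    // Validate a captured token with the same parameters, outside the pipeline.
    public static bool TryValidate(string token, byte[] signingKey, out string error)
    {
        error = "";
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, BuildParameters(signingKey), out _);
            return true;
        }
        catch (Exception ex) // SecurityTokenException subtypes name the exact failure
        {
            error = $"{ex.GetType().Name}: {ex.Message}";
            return false;
        }
    }
}
```

Comparing the exception type reported by TryValidate under the 7.0.14 and 7.0.15 package versions pinpoints which validation step changed behaviour.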

  • What do you send for byte[] signingKey?


  • Add ValidateIssuerSigningKey = true, and ValidIssuer = configuration["JWTSettings:Issuer"], ValidAudience = configuration["JWTSettings:Audience"]. You can read about other cases where a similar problem happened: stackoverflow.com/questions/58563661/…


  • The byte[] is the bytes from the secret key. Nothing strange there, I would assume.

